Now, at the risk of sounding too philosophical, what does it even mean “to test one’s security”? At this early stage of our effort, all bets are off, but we do want to look into testing of security technologies and processes (such as detection and response processes), with the focus on outcomes, not controls. In essence, we want to look into testing the effectiveness, not the presence, of security controls.

Please share how you think of TESTING SECURITY … and please don’t say that “a good pentest should be enough security testing for everybody.”

Note that we will try to keep the focus of this on actually TESTING, not other forms of evaluating, measuring, assessing or guessing about security … Asking people how secure they think they are isn’t testing. Questionnaires isn’t testing. Reviewing policies isn’t testing. Even reviewing the lists of controls they think they deployed isn’t testing (IMHO).